Delivering Velocity Through DevSecOps
By Dave Egts, Chief Technologist, North America, Red Hat
Why is DevSecOps so important when it comes to mission velocity?
Innovation does you no good if you can’t secure it. Many organizations started DevOps and soon realized that they were slowed significantly or even stopped cold by the security team when they wanted to go into production. By making the security team an integral part of your DevSecOps strategy, they will go from blocker to champion. Their voices will be heard and they can work collaboratively with the development and operations teams to build in security from the start instead of bolting it on as an afterthought. The end result is the application of end-to-end security automation that delivers mission results faster and more securely.
How does Red Hat see DevSecOps evolving over the next few years?
Security threats will only increase in frequency and severity. As such, continuous security automation and authorization will be necessary. Also, agencies need to hold vendors and open source communities to a high standard when it comes to proper and objectively measurable security hygiene. Whatever the vendors and open source communities don’t do, the agencies will have to do, or assume the risk of not doing it, which could be catastrophic.
You know the saying “many hands make light work.” Why is collaboration among technology partners so important in addressing government’s toughest challenges? Can you share an example where you saw this in action?
“Nobody is smarter than everybody.” A simple example of collaboration is the development of security baselines. In the past, everyone was willing to build upon someone else’s baseline, but few were willing to share their own, citing security or intellectual property reasons. Over time, the Aqueduct Project formed under the Fedora project to build open source security automation baselines for Red Hat Enterprise Linux. Many in this group went on to start the SCAP Security Guide, which has expanded beyond Linux and SCAP in its present form as the Compliance as Code project. By working together, agencies, integrators, and vendors are jointly developing security automation baselines that not only conform to government standards but also ship in the products themselves as vendor guidance. This makes government IT more secure, and more secure faster, as they don’t have to do it all by themselves.